CVE-2025-11632
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 29/10/2025
Last modified: 30/10/2025
Description
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to the billing portal, where they can view and modify billing information of the connected account, generate chat session tokens, view domain status, etc.
This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5.
Impact
Base Score 3.x: 4.30
Severity 3.x: MEDIUM
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/CnbAdminAjax.php#L147
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/CnbAdminAjax.php#L154
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/CnbAdminAjax.php#L167
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/CnbAdminAjax.php#L21
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/CnbAdminAjax.php#L50
- https://plugins.trac.wordpress.org/browser/call-now-button/tags/1.5.3/src/admin/chat/class-cnb-chat-controller.php#L52
- https://www.wordfence.com/threat-intel/vulnerabilities/id/379547a2-6b22-4ec9-8570-a043dda7ec09?source=cve



